Azure-Samples
diff --git a/‎5-AccessControl/1-call-api-roles/API/app.js
+66-22 b/‎5-AccessControl/1-call-api-roles/API/app.js
+66-22
diff --git a/‎5-AccessControl/1-call-api-roles/API/auth/permissionUtils.js
+63 b/‎5-AccessControl/1-call-api-roles/API/auth/permissionUtils.js
+63
diff --git a/‎5-AccessControl/1-call-api-roles/API/authConfig.js
+44 b/‎5-AccessControl/1-call-api-roles/API/authConfig.js
+44
diff --git a/‎5-AccessControl/1-call-api-roles/API/authConfig.json
-48 b/‎5-AccessControl/1-call-api-roles/API/authConfig.json
-48
diff --git a/‎5-AccessControl/1-call-api-roles/API/controllers/dashboard.js
+25-4 b/‎5-AccessControl/1-call-api-roles/API/controllers/dashboard.js
+25-4
@@ -1,43 +1,87 @@
 const express = require('express');
 const morgan = require('morgan');
 const cors = require('cors');
+
 const passport = require('passport');
+const passportAzureAd = require('passport-azure-ad');
 
-const config = require('./authConfig');
+const authConfig = require('./authConfig');
 const router = require('./routes/router');
+
 const routeGuard = require('./utils/guard');
 
-const BearerStrategy = require('passport-azure-ad').BearerStrategy;
-
-const options = {
-    identityMetadata: `https://${config.metadata.authority}/${config.credentials.tenantID}/${config.metadata.version}/${config.metadata.discovery}`,
-    issuer: `https://${config.metadata.authority}/${config.credentials.tenantID}/${config.metadata.version}`,
-    clientID: config.credentials.clientID,
-    audience: config.credentials.clientID, // audience is this application
-    validateIssuer: config.settings.validateIssuer,
-    passReqToCallback: config.settings.passReqToCallback,
-    loggingLevel: config.settings.loggingLevel,
-};
-
-const bearerStrategy = new BearerStrategy(options, (token, done) => {
-    // Send user info using the second argument
-    done(null, {}, token);
-});
+const { requiredScopeOrAppPermission } = require('./auth/permissionUtils');
 
 const app = express();
 
+/**
+ * Enable CORS middleware. In production, modify as to allow only designated origins and methods.
+ * If you are using Azure App Service, we recommend removing the line below and configure CORS on the App Service itself.
+ */
+app.use(cors());
+
 app.use(morgan('dev'));
+app.use(express.urlencoded({ extended: false }));
 app.use(express.json());
-app.use(cors());
+
+const bearerStrategy = new passportAzureAd.BearerStrategy(
+    {
+        identityMetadata: `https://${authConfig.metadata.authority}/${authConfig.credentials.tenantID}/${authConfig.metadata.version}/${authConfig.metadata.discovery}`,
+        issuer: `https://${authConfig.metadata.authority}/${authConfig.credentials.tenantID}/${authConfig.metadata.version}`,
+        clientID: authConfig.credentials.clientID,
+        audience: authConfig.credentials.clientID, // audience is this application
+        validateIssuer: authConfig.settings.validateIssuer,
+        passReqToCallback: authConfig.settings.passReqToCallback,
+        loggingLevel: authConfig.settings.loggingLevel,
+        loggingNoPII: authConfig.settings.loggingNoPII,
+    },
+    (req, token, done) => {
+        /**
+         * Below you can do extended token validation and check for additional claims, such as:
+         * - check if the caller's tenant is in the allowed tenants list via the 'tid' claim (for multi-tenant applications)
+         * - check if the caller's account is homed or guest via the 'acct' optional claim
+         * - check if the caller belongs to right roles or groups via the 'roles' or 'groups' claim, respectively
+         *
+         * Bear in mind that you can do any of the above checks within the individual routes and/or controllers as well.
+         * For more information, visit: https://docs.microsoft.com/azure/active-directory/develop/access-tokens#validate-the-user-has-permission-to-access-this-data
+         */
+        if (
+            requiredScopeOrAppPermission(token, [
+                ...authConfig.protectedRoutes.todolist.delegatedPermissions.read,
+                ...authConfig.protectedRoutes.todolist.delegatedPermissions.write,
+                ...authConfig.protectedRoutes.todolist.applicationPermissions.read,
+                ...authConfig.protectedRoutes.todolist.applicationPermissions.write,
+            ])
+        ) {
+            /**
+             * If needed, pass down additional user info to route using the second argument below.
+             * This information will be available in the req.user object.
+             */
+            return done(null, {}, token);
+        } else {
+            return done(new Error('Unauthorized'), {}, 'Unauthorized');
+        }
+    }
+);
 
 app.use(passport.initialize());
 
 passport.use(bearerStrategy);
 
 // Validates token, checks for role and serve
-app.use('/api',
-    passport.authenticate('oauth-bearer', { session: false }),
-    routeGuard(config.accessMatrix),
+app.use(
+    '/api',
+    passport.authenticate('oauth-bearer', {
+        session: false,
+        /**
+         * If you are building a multi-tenant application and you need supply the tenant ID or name dynamically, uncomment
+         * the line below and pass in the tenant information. For more information, see:
+         * https://github.com/AzureAD/passport-azure-ad#423-options-available-for-passportauthenticate
+         */
+
+        // tenantIdOrName: <some-tenant-id-or-name>
+    }),
+    routeGuard(authConfig.accessMatrix),
     router
 );
 
@@ -47,4 +91,4 @@ app.listen(port, () => {
     console.log('Listening on port ' + port);
 });
 
-module.exports = app;
+module.exports = app;
@@ -0,0 +1,63 @@
+/**
+ * Ensures that the access token has at least one allowed permission.
+ * @param {Object} accessTokenPayload: Parsed access token payload
+ * @param {Array} allowedPermissions: list of allowed permissions i.e. delegated + application
+ * @returns {boolean}
+ */
+exports.requiredScopeOrAppPermission = (accessTokenPayload, allowedPermissions) => {
+    /**
+     * Access tokens that have neither the 'scp' (for delegated permissions) or
+     * 'roles' (for application permissions) claim are not to be honored.
+     *
+     * An access token issued by Azure AD will have at least one of the two claims.
+     * To determine whether an access token was issued to a user (i.e delegated) or an application
+     * more easily, we recommend enabling the optional claim 'idtyp'. For more information, see:
+     * https://docs.microsoft.com/azure/active-directory/develop/access-tokens#user-and-application-tokens
+     */
+
+    if (!accessTokenPayload.hasOwnProperty('scp') && !accessTokenPayload.hasOwnProperty('roles')) {
+        return false;
+    } else if (accessTokenPayload.hasOwnProperty('scp')) {
+        return accessTokenPayload.scp.split(' ').some((scope) => allowedPermissions.includes(scope));
+    } else if (accessTokenPayload.hasOwnProperty('roles')) {
+        return accessTokenPayload.roles.some((role) => allowedPermissions.includes(role));
+    }
+};
+
+/**
+ * Ensures that the access token has the required delegated permissions.
+ * @param {Object} accessTokenPayload: Parsed access token payload
+ * @param {Array} requiredPermission: list of required permissions
+ * @returns {boolean}
+ */
+exports.hasDelegatedPermissions = (accessTokenPayload, requiredPermission) => {
+    if (!accessTokenPayload.hasOwnProperty('scp')) {
+        console.log('Access token does not have scp claim');
+        return false;
+    }
+
+    if (accessTokenPayload.scp.split(' ').some((claim) => requiredPermission.includes(claim))) {
+        return true;
+    }
+
+    return false;
+};
+
+/**
+ * Ensures that the access token has the required application permissions.
+ * @param {Object} accessTokenPayload: Parsed access token payload
+ * @param {Array} requiredPermission: list of required permissions
+ * @returns {boolean}
+ */
+exports.hasApplicationPermissions = (accessTokenPayload, requiredPermission) => {
+    if (!accessTokenPayload.hasOwnProperty('roles')) {
+        console.log('Access token does not have roles claim');
+        return false;
+    }
+
+    if (accessTokenPayload.roles.some((claim) => requiredPermission.includes(claim))) {
+        return true;
+    }
+
+    return false;
+};
@@ -0,0 +1,44 @@
+const passportConfig = {
+    credentials: {
+        tenantID: 'Enter_the_Tenant_Info_Here',
+        clientID: 'Enter_the_Application_Id_Here',
+    },
+    metadata: {
+        authority: 'login.microsoftonline.com',
+        discovery: '.well-known/openid-configuration',
+        version: 'v2.0',
+    },
+    settings: {
+        validateIssuer: true,
+        passReqToCallback: true,
+        loggingLevel: 'info',
+        loggingNoPII: false,
+    },
+    protectedRoutes: {
+        todolist: {
+            endpoint: '/api',
+            delegatedPermissions: {
+                read: ['Todolist.Read', 'Todolist.ReadWrite'],
+                write: ['Todolist.ReadWrite'],
+            },
+            applicationPermissions: {
+                read: ['Todolist.Read.All', 'Todolist.ReadWrite.All'],
+                write: ['Todolist.ReadWrite.All'],
+            },
+        },
+    },
+    accessMatrix: {
+        todolist: {
+            path: '/todolist',
+            methods: ['GET', 'POST', 'PUT', 'DELETE'],
+            roles: ['TaskUser', 'TaskAdmin'],
+        },
+        dashboard: {
+            path: '/dashboard',
+            methods: ['GET'],
+            roles: ['TaskAdmin'],
+        },
+    },
+};
+
+module.exports = passportConfig;
@@ -3,9 +3,30 @@ const FileSync = require('lowdb/adapters/FileSync');
 const adapter = new FileSync('./data/db.json');
 const db = lowdb(adapter);
 
-exports.getAllTodos = (req, res) => {
-    const todos = db.get('todos')
-        .value();
+const { hasDelegatedPermissions, hasApplicationPermissions } = require('../auth/permissionUtils');
+
+const authConfig = require('../authConfig');
+
+exports.getAllTodos = (req, res, next) => {
+     if (hasDelegatedPermissions(req.authInfo, authConfig.protectedRoutes.todolist.delegatedPermissions.read)) {
+        try {
+
+            const todos = db.get('todos').value();
+            res.status(200).send(todos);
+
+        }catch(error) {
+             next(error);
+        }
+     }else if(hasApplicationPermissions(req.authInfo, authConfig.protectedRoutes.todolist.applicationPermissions.read)) {
+        try  {
+             const todos = db.get('todos').value();
+             res.status(200).send(todos);
+
+        }catch(error) {
+            next(error);
+        }
+     }else {
+        next(new Error('User or application does not have the required permissions'));
+     }
 
-    res.status(200).send(todos);
 }